News Stay informed about the latest enterprise technology news and product updates.

Citrix patches severe XenDesktop, XenApp security flaw

The virtualization vendor says a severe XenDesktop and XenApp security flaw needs immediate patching, or else an attacker may execute arbitrary code.

Virtualization vendor Citrix Systems Inc. is urging users of its XenApp and XenDesktop products to install new...

patches it has issued for a flaw in the products’ XML Service interface. The vulnerability is rated as severe.

Fort Lauderdale, Fla.-based Citrix said the flaw could be exploited by sending a specially crafted packet to the vulnerable component, enabling a remote, unauthenticated attacker to execute arbitrary code in the context of a service account of a server supporting XenApp, the vendor’s application virtualization product, or XenDesktop, its desktop virtualization platform.

The XML Service can be configured to share a port with Microsoft IIS, or to use its own port. In the case of the latter, the XML Service components will be hosted by the standalone Citrix XML Service, which is implemented by ctxxmlss.exe. Only deployments that make use of ctxxmlss.exe are affected by this vulnerability.

Most versions, with the exception of XenDesktop 5, are affected by the vulnerability.

Although the flaw is rated as severe, Citrix says an attacker would need to be able to access the XML Service interface in order to exploit it, which would not normally be exposed to the Internet.

Nevertheless, the vendor recommends that all customers immediately download and install the Citrix patches, known as hotfixes, listed on its website.

Dig Deeper on Microsoft Patch Tuesday and patch management

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.